Many digital, networked devices, such as computers and reproduction apparatus, include the ability to authenticate a user of the apparatus. This is particularly true for providers of publicly accessible equipment that requires authentication for access, such as public computer terminals, photocopiers, and printers, but can also be true of devices within a company that track resource usage and allocate expenditures by user and/or department. Such authentication over the network is often performed using protocols such as Kerberos, simple message block (SMB), or Novell Directory Services (NDS). When a user enters login credentials for these protocols, he or she must provide a username and password, but must supply an additional identifier, such as an appropriate realm, domain, or tree/context, for authentication. In some authentication schemes, the user can select the realm, domain, or tree/context from a list preconfigured by a system administrator (SA) and displayed on a user interface (UI) of the device. However, the device may not allow for enough values to be preconfigured and/or all values may not be configured for all devices. The latter problem is particularly true for international companies where traveling employees would not find their information on the preconfigured list. Even if a user was allowed to manually enter information, it is often difficult for a user to remember a realm, context/tree, or a domain on top of his/her user name and password. In addition, allowing a user to manually enter his or her own information for authentication purposes poses a security risk, since the user could be authenticated for use of servers on the network for which they do not have proper permissions.
Some prior solutions to this problem include the creation and use of guest accounts, alterations of preconfigured lists to include visiting employees, and/or disabling of network authentication. Others include a card reader or the like that reads a card, such as a swipe card or smart card, that holds the users realm, domain, or tree/context. All of these solutions, however, suffer from drawbacks including reduced security, time-intensive addition of tasks to SA work loads, and inconvenience.
To overcome the drawbacks outlined above with minimal security risk, inconvenience, and SA work load increase, embodiments include a method in which a network authentication process (NAP) connected to a device receives an authentication request via the device UI. The NAP gathers user credentials including user name and password from that request, and forwards the user name to a directory server, such as an LDAP server, requesting the appropriate additional authentication values (realm, domain, or context based on the configured authentication protocol) for that user. In embodiments, the method feature is enabled by a SA, such as via Simple Network Management Protocol (SNMP) or a Web based UI. Additionally, embodiments allow a SA to configure what field(s) on the directory server contains the required information.
In embodiments, once the information is pulled from the directory server, it is parsed by the NAP to extract specific values needed. The parsed value is then used when passing the user's credentials to the authentication server. This way the user does not need to know his or her realm, domain or context.